[cups.general] Q. Proper way to startup cupsd as a non-root user as opposed to debian hacks?

Kurt Pfeifle kpfeifle at danka.de
Tue Jun 6 10:07:48 PDT 2006


Klaus Singvogel <kssingvo at suse.de> wrote (Tuesday 06 June 2006 18:08):

> Michael Sweet wrote:
> [...]
>> *All* of the CUPS-related advisories in the last
>> 4 years have been in the filters or support programs and not in the
>> scheduler, backend, or CUPS API code that runs as root.
> 
> *smile* In the last 4 years nothing in the scheduler?! :-)
> Very funny. Harhar. :-)
> 
> Here are three issues from 2004 concerning the scheduler:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2154

* Bug in matching printer name case sensitive or not; not related
  to whether scheduler runs as root or as user IMHO.

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0923

* That one was for xpdf code; meaning "filter" in CUPS, not scheduler.

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0558

* DOS attack; can make CUPS stop listening on :631. Not dependent
  on whether scheduler runs as root or as user IMHO.
 
> I stopped looking through my ChangeLog afterwards, but I'm sure there
> are more.

So indeed, 2 of your examples do prove that the scheduler was/is
vulnerable to bugs.

But to me, they do not prove the point in question: running as user
will increase security.

> Regards,
> Klaus.

Cheers,
Kurt



